I’m kind of an asshole about privacy. Which is why when GDPR came out, I was all over it. It’s not perfect by any means as regulation (let alone enforcement), but it’s a strong step in the right direction.

Which is why it annoys me so much when companies don’t follow it. Even though I’m not an EU resident/citizen, I’m a stickler for it, because for the most part, the principles enshrined in it also just make good product sense.

One of the articles I often come back to is Art. 25, Data Protection by Design & by Default, one of whose clauses reads:

“In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”

For context: Midjourney presently has three paid tiers, at $10, $30, and $60 per month. It is only at the highest paid tier ($60/mo) that Midjourney offers what they call “Stealth image generation.” Unless you pay $60/mo, and also actively turn on ‘stealth mode,’ all images that you create using the service will be automatically made public in their member galleries (accessible to an indefinite number of persons), and in a section of their site where users rank pairs of images to help train their AI models.

Also, it’s worth noting the default generation behavior: if you’re using the public Discord (I use my own private server, partly for this reason), all your images are shared in a terrible mess with everyone else’s generations. I’ve seen rationale from the CEO claiming that the reason for this is the acceleration that occurs, synergy between many people’s prompts, etc. I guess that’s fine, but I think it breaks GDPR.

From the FAQ on Midjourney’s logged-in account page:

“We are building an open-by-default community focused on collective exploration and fun. If you have a need to opt-out of this and be private-by-default you can subscribe to the $60/mo pro plan and activate stealth generation with the /stealth command.”

As a privacy professional with certifications in GDPR compliance, I find this pretty abhorrent as a practice. If privacy is indeed a human right (I believe it is), then it is reprehensible to only offer it for sale to those willing and able to pay the highest price for it.

Hence, I took my frustration on this matter to multiple Data Protection Authorities in the EU, after receiving no response from Midjourney staff about any of this over several months.

Two issues. First, as a non-EU person, I don’t really have standing to file a complaint insofar as it impacts me personally. So I filed it as a “request to investigate,” and gave them all the necessary information.

Second, it seems like the DPAs are extremely slow, bureaucratic, and ineffective as enforcement bodies. I could be wrong, but this isn’t my first rodeo, and I’ve seen how brush-offs work in the past. I sent my complaint out to email addresses I found for about 7 or so DPAs in different countries, and nearly half of them were bounced. I noticed also France’s CNIL doesn’t even have an email address… wtf?

Anyway, if you’re at all concerned about these issues, and not into letting tech companies get a free pass because they are Americans and think global laws don’t apply to them (or ought not), AND you’re an EU resident or citizen, I would strongly encourage you to find the DPA in your country and file complaints against Midjourney so that they – and all the others – end this gross practice of selling privacy.